Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

New collaboration called Open Source Security Foundation (OpenSSF) consolidates industry efforts to improve the security of open source software

SAN FRANCISCO, Calif., Aug 3, 2020 – The Linux Foundation today announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Purdue, SAFEcode, StackHawk, Trail of Bits, Uber and VMware.

Open source software has become pervasive in data centers, consumer devices and services, reflecting its value to technologists and businesses alike. Because of the way it is developed, the open source software that ultimately reaches end users carries a chain of contributors and dependencies. It is important that those responsible for their users’ or organization’s security are able to understand and verify the security of this dependency chain.

The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent and any specifications and projects developed will be vendor-agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalization of the group, the open governance structure is established and includes a Governing Board (GB), a Technical Advisory Council (TAC) and separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub.

For more information and to contribute to the project, please visit https://openssf.org

Resources

Threats, Risks & Mitigations of the Open Source Ecosystem, Open Source Security Coalition

Vulnerabilities in the Core, Harvard’s Lab for Innovation Science and Linux Foundation

Red Hat Product Security Risk Report, Red Hat

Governing Board Member Quotes

GitHub

“Every industry is using open source software, and it is our collective responsibility to help maintain a healthy and secure ecosystem,” said Jamie Cool, Vice President of Product Management, Security at GitHub. “GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition, and serving as a founding member of the Open Source Security Foundation.”

Google

“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

IBM

“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

JPMorgan Chase

“Developing, growing and using open source software is a top priority for JPMorgan Chase. We are committed to partner with the community through the Open Source Security Foundation to ensure trust and security in open source software for everyone,” stated Lori Beer, Global Chief Information Officer, JPMorgan Chase.

Microsoft

“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”

NCC Group

“The security and privacy of the internet is essential for the protection of individuals, organizations and critical infrastructure, and also the future of democracy and our civil liberties. Given the fundamental role open source plays in powering our world, creating scalable resources and tools to help software maintainers, developers, and users understand and improve their projects’ security is a significant step toward a safer and more secure world. By bringing together a dedicated group of technologists with a shared desire to improve the security of open source software, together we can begin to remediate – or even prevent – security vulnerabilities at a scale not previously possible,” stated Jennifer Fernick, Head of Research at global cyber security expert NCC Group.

OWASP

“Joining the Linux Foundation and the Open Source Security Foundation is central to our mission to advance the state of application security, especially as OpenSSF is already aligned with OWASP’s core philosophies of openness, transparency and innovation,” said Andrew van der Stock, Executive Director of OWASP, the Open Web Application Security Project. “We look forward to working with all of the participating organizations to improve the state of software security, and work together on projects of vital interest to software developers, organizations, and governments around the world.”

Red Hat

“Red Hat is unrelenting in our commitment to open source and in participating to make upstream projects successful. We believe security is an essential part of healthy project communities,” said Chris Wright, CTO of Red Hat. “Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation.”

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.